Commit bbf63ef

Changed to Hunting
1 parent a87f5f2 commit bbf63ef

2 files changed

+4
-29
lines changed

detections/endpoint/windows_powershell_invoke_sqlcmd_execution.yml

Lines changed: 2 additions & 12 deletions
@@ -4,7 +4,7 @@ version: 1
44
date: '2025-02-03'
55
author: Michael Haag, Splunk
66
status: production
7-
type: Anomaly
7+
type: Hunting
88
description: This detection identifies potentially suspicious usage of Invoke-Sqlcmd PowerShell cmdlet, which can be used for database operations and potential data exfiltration. The detection looks for suspicious parameter combinations and query patterns that may indicate unauthorized database access, data theft, or malicious database operations. Threat actors may prefer using PowerShell Invoke-Sqlcmd over sqlcmd.exe as it provides a more flexible programmatic interface and can better evade detection.
99
data_source:
1010
- Powershell Script Block Logging 4104
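Review bot: the type change from Anomaly to Hunting is a behavioural change (a Hunting analytic no longer produces risk events), yet the hunk header still shows `version: 1` and `date: '2025-02-03'` is untouched; bump the version and update the date in this commit so consumers of the content can see that the detection changed. The description on the unchanged line 8 also still reads as an alerting narrative ("potential data exfiltration", "can better evade detection"); a short sentence saying the analytic now runs as a hunting query for baselining would set expectations for whoever enables it.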
@@ -104,7 +104,7 @@ search: '`powershell` EventCode=4104 ScriptBlockText="*invoke-sqlcmd*"
104104
| `security_content_ctime(firstTime)`
105105
| `security_content_ctime(lastTime)`
106106
| `windows_powershell_invoke_sqlcmd_execution_filter`'
107-
how_to_implement: To successfully implement this detection, you need to be ingesting PowerShell logs with Script Block Logging and Module Logging enabled. The detection looks for Invoke-Sqlcmd usage in PowerShell scripts and evaluates the parameters and queries for suspicious patterns. Configure your PowerShell logging to capture script block execution and ensure the logs are mapped to the PowerShell node of the Endpoint data model.
107+
how_to_implement: To successfully implement this detection, you need to be ingesting PowerShell logs with Script Block Logging and Module Logging enabled. The detection looks for Invoke-Sqlcmd usage in PowerShell scripts and evaluates the parameters and queries for suspicious patterns. Configure your PowerShell logging to capture script block execution and ensure the logs are mapped to the PowerShell node of the Endpoint data model. The analytic will need to be tuned based on organization specific data. Currently, set to hunting to allow for tuning. Invoke-Sqlcmd is a legitimate tool for database management and scripting tasks within enterprise environments.
108108
known_false_positives: Database administrators and developers frequently use Invoke-Sqlcmd as a legitimate tool for various database management tasks. This includes running automated database maintenance scripts, performing ETL (Extract, Transform, Load) processes, executing data migration jobs, implementing database deployment and configuration scripts, and running monitoring and reporting tasks. To effectively manage false positives in your environment, consider implementing several mitigation strategies. First, establish a whitelist of known administrator and service accounts that regularly perform these operations. Second, create exceptions for approved script paths where legitimate database operations typically occur. Additionally, it's important to baseline your environment's normal PowerShell database interaction patterns and implement monitoring for any deviations from these established patterns. Finally, consider adjusting the risk score thresholds based on your specific environment and security requirements to achieve an optimal balance between security and operational efficiency.
109109
references:
110110
- https://learn.microsoft.com/en-us/powershell/module/sqlserver/invoke-sqlcmd
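Review bot: the sentences appended to how_to_implement read as fragments: "organization specific" should be "organization-specific", and "Currently, set to hunting to allow for tuning." has no subject; suggest "It is currently set to Hunting so it can be tuned; add exclusions through the `windows_powershell_invoke_sqlcmd_execution_filter` macro." The final added sentence (Invoke-Sqlcmd being a legitimate tool) duplicates the opening of known_false_positives directly below. More importantly, known_false_positives still ends with "consider adjusting the risk score thresholds", which no longer applies once the rba block is removed and the analytic is Hunting; update that text in the same change so the two fields agree.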
@@ -119,16 +119,6 @@ drilldown_searches:
119119
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
120120
earliest_offset: $info_min_time$
121121
latest_offset: $info_max_time$
122-
rba:
123-
message: A PowerShell script contains Invoke-Sqlcmd command with EventCode $EventCode$ on host $dest$
124-
risk_objects:
125-
- field: dest
126-
type: system
127-
score: 49
128-
- field: user
129-
type: user
130-
score: 49
131-
threat_objects: []
132122
tags:
133123
analytic_story:
134124
- SQL Server Abuse
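Review bot: removing the rba block leaves the Risk drilldown on the unchanged line 119 (`| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") ...`) pointing at risk events this analytic no longer generates; it will only surface findings from other analytics for the same host or user, so either retitle it as a related-risk pivot or drop it. The removed rba message (`A PowerShell script contains Invoke-Sqlcmd command with EventCode $EventCode$ on host $dest$`) and the dest/user scores of 49 are not recorded anywhere else in the file; if the intent is to promote this back to Anomaly after tuning, note the previous scoring in the commit message or a comment so it is not lost.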

detections/endpoint/windows_sqlcmd_execution.yml

Lines changed: 2 additions & 17 deletions
@@ -4,7 +4,7 @@ version: 1
44
date: '2025-02-03'
55
author: Michael Haag, Splunk
66
status: production
7-
type: Anomaly
7+
type: Hunting
88
description: This detection identifies potentially suspicious usage of sqlcmd.exe, focusing on command patterns that may indicate data exfiltration, reconnaissance, or malicious database operations. The detection looks for both short-form (-X) and long-form (--flag) suspicious parameter combinations, which have been observed in APT campaigns targeting high-value organizations. For example, threat actors like CL-STA-0048 have been known to abuse sqlcmd.exe for data theft and exfiltration from compromised MSSQL servers. The detection monitors for suspicious authentication attempts, output redirection, and potentially malicious query patterns that could indicate unauthorized database access or data theft.
99
data_source:
1010
- Sysmon EventID 1
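Review bot: as with the companion Invoke-Sqlcmd file, `version: 1` in the hunk header and `date: '2025-02-03'` are left unchanged while the type moves from Anomaly to Hunting; bump both. The description on line 8 still states that the detection "monitors for suspicious authentication attempts, output redirection, and potentially malicious query patterns" and cites CL-STA-0048 as if it were an alerting analytic; add a sentence that it is now a hunting query intended for baselining before any re-promotion.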
@@ -159,7 +159,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
159159
| where is_help_check=0 AND (risk_score >= 30 OR (has_parameters=1 AND has_suspicious_query=1))
160160
| `security_content_ctime(firstTime)`
161161
| `security_content_ctime(lastTime)` | `windows_sqlcmd_execution_filter`'
162-
how_to_implement: The detection is based on data that originates from Endpoint Detection
162+
how_to_implement: The analytic will need to be tuned based on organization specific data. Currently, set to hunting to allow for tuning. SQLCmd is a legitimate tool for database management and scripting tasks within enterprise environments. The detection is based on data that originates from Endpoint Detection
163163
and Response (EDR) agents. These agents are designed to provide security-related
164164
telemetry from the endpoints where the agent is installed. To implement this search,
165165
you must ingest logs that contain the process GUID, process name, and parent process.
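Review bot: the new text is prepended to a folded multi-line scalar, so "The detection is based on data that originates from Endpoint Detection" now sits mid-paragraph after the tuning guidance; YAML folds this correctly, but it would read better with the tuning sentences placed at the end of the block after the EDR and process-GUID requirements, matching how the Invoke-Sqlcmd file was edited. Also fix "organization specific" to "organization-specific", give "Currently, set to hunting to allow for tuning." a subject, and settle on one spelling of the tool name (the description says "sqlcmd.exe", this line "SQLCmd", the removed rba message "SQLCMD"). Since the search still filters on the in-search `risk_score >= 30` on the unchanged line 159, say explicitly that this computed score and the `windows_sqlcmd_execution_filter` macro are the tuning points now that rba scoring is gone.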
@@ -190,21 +190,6 @@ drilldown_searches:
190190
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(risk_score) as "Risk Score" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
191191
earliest_offset: -7d
192192
latest_offset: now
193-
rba:
194-
message: SQLCMD, $process_name$, was executed on $dest$ by $user$ with parameters indicative of suspicious database access and potential data exfiltration
195-
risk_objects:
196-
- field: dest
197-
type: system
198-
score: 50
199-
- field: user
200-
type: user
201-
score: 10
202-
- field: process_name
203-
type: other
204-
score: 10
205-
threat_objects:
206-
- field: parent_process_name
207-
type: parent_process_name
208193
tags:
209194
analytic_story:
210195
- SQL Server Abuse
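Review bot: same drilldown problem as in the Invoke-Sqlcmd file: the unchanged line 190 queries Risk.All_Risk with `values(risk_score)` for `$dest$` and `$user$`, but with the rba block removed this Hunting analytic writes no risk events, so the pivot only shows other analytics' findings; retitle or remove it. Dropping `threat_objects` also removes the `parent_process_name` enrichment that the risk framework provided; if parent process is not already an output field of the tstats search, add it so hunters can still see which parent launched sqlcmd.exe. As in the other file, the removed scores (dest 50, user 10, process_name 10) are worth recording in the commit message if the plan is to restore Anomaly type after tuning.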
